[SECURITY-1951]

Author: Pldi23

pom.xml

@@ -124,31 +124,36 @@
             <artifactId>workflow-support</artifactId>
         </dependency>
 
-        <!-- test only plugins -->
         <dependency>
-            <groupId>org.jenkins-ci.plugins.workflow</groupId>
-            <artifactId>workflow-support</artifactId>
-            <classifier>tests</classifier>
-            <scope>test</scope>
+            <groupId>org.jenkins-ci.plugins</groupId>
+            <artifactId>variant</artifactId>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
-            <artifactId>workflow-job</artifactId>
-            <scope>test</scope>
+            <artifactId>workflow-multibranch</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.jenkins-ci.plugins</groupId>
+            <artifactId>branch-api</artifactId>
+            <optional>true</optional>
         </dependency>
+
+        <!-- test only plugins -->
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
-            <artifactId>workflow-basic-steps</artifactId>
+            <artifactId>workflow-support</artifactId>
+            <classifier>tests</classifier>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
-            <artifactId>workflow-durable-task-step</artifactId>
+            <artifactId>workflow-basic-steps</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
-            <artifactId>workflow-multibranch</artifactId>
+            <artifactId>workflow-durable-task-step</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -203,10 +208,5 @@
             <version>1.10.1</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>branch-api</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 </project>

src/main/java/org/jenkinsci/plugins/workflow/libs/MultibranchScmRevisionVerifier.java

@@ -0,0 +1,60 @@
+package org.jenkinsci.plugins.workflow.libs;
+
+import hudson.AbortException;
+import hudson.model.Job;
+import hudson.model.Run;
+import hudson.model.TaskListener;
+import hudson.scm.SCM;
+import jenkins.branch.Branch;
+import jenkins.scm.api.SCMHead;
+import jenkins.scm.api.SCMRevision;
+import jenkins.scm.api.SCMRevisionAction;
+import jenkins.scm.api.SCMSource;
+import jenkins.scm.api.SCMSourceOwner;
+import org.jenkinsci.plugins.variant.OptionalExtension;
+import org.jenkinsci.plugins.workflow.multibranch.BranchJobProperty;
+
+import java.io.IOException;
+
+@OptionalExtension(requirePlugins={"workflow-multibranch"})
+public class MultibranchScmRevisionVerifier implements SCMSourceRetrieverVerifier {
+
+    /**
+     * Abort library retrieval if the specified build is from a Multibranch Pipeline configured to build the library's SCM and the revision being built is untrusted.
+     * Comparable to the defenses against untrusted users in {@code SCMBinder}, but here we care about the library rather than the Jenkinsfile.
+     * @throws AbortException if the specified build is from a Multibranch Pipeline configured to build the library's SCM and the revision being built is untrusted
+     */
+    @Override
+    public void verify(Run<?, ?> run, TaskListener listener, SCM libraryScm, String name) throws IOException, InterruptedException {
+        // Adapted from ReadTrustedStep
+        Job<?, ?> job = run.getParent();
+        BranchJobProperty property = job.getProperty(BranchJobProperty.class);
+        if (property == null || !(job.getParent() instanceof SCMSourceOwner)) {
+            // Not a multibranch project, so we do not care.
+            // It is possible to use legacySCM(scm) from a non-multibranch Pipeline that uses CpsScmFlowDefinition,
+            // but in that case we implicitly trust the changes because only a user with Item/Configure permission can select which branches to build.
+            return;
+        }
+        Branch pipelineBranch = property.getBranch();
+        SCMSource pipelineScmSource = ((SCMSourceOwner)job.getParent()).getSCMSource(pipelineBranch.getSourceId());
+        if (pipelineScmSource == null) {
+            throw new IllegalStateException(pipelineBranch.getSourceId() + " not found");
+        }
+        SCMHead head = pipelineBranch.getHead();
+        SCMRevision headRevision;
+        SCMRevisionAction action = run.getAction(SCMRevisionAction.class);
+        if (action != null) {
+            headRevision = action.getRevision();
+        } else {
+            headRevision = pipelineScmSource.fetch(head, listener);
+            if (headRevision == null) {
+                throw new AbortException("Could not determine exact tip revision of " + pipelineBranch.getName());
+            }
+            run.addAction(new SCMRevisionAction(pipelineScmSource, headRevision));
+        }
+        SCMRevision trustedRevision = pipelineScmSource.getTrustedRevision(headRevision, listener);
+        if (!headRevision.equals(trustedRevision) && libraryScm.getKey().equals(pipelineScmSource.build(head, headRevision).getKey())) {
+            throw new AbortException("Library '" + name + "' has been modified in an untrusted revision");
+        }
+    }
+}

src/main/java/org/jenkinsci/plugins/workflow/libs/SCMSourceRetriever.java

@@ -174,6 +174,9 @@ private static <T> T retrySCMOperation(TaskListener listener, Callable<T> task)
 
     @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE", justification = "apparently bogus complaint about redundant nullcheck in try-with-resources")
     static void doRetrieve(String name, boolean changelog, @NonNull SCM scm, String libraryPath, FilePath target, Run<?, ?> run, TaskListener listener) throws Exception {
+        for (SCMSourceRetrieverVerifier revisionVerifier : SCMSourceRetrieverVerifier.all()) {
+            revisionVerifier.verify(run, listener, scm, name);
+        }
         // Adapted from CpsScmFlowDefinition:
         SCMStep delegate = new GenericSCMStep(scm);
         delegate.setPoll(false); // TODO we have no API for determining if a given SCMHead is branch-like or tag-like; would we want to turn on polling if the former?

src/main/java/org/jenkinsci/plugins/workflow/libs/SCMSourceRetrieverVerifier.java

@@ -0,0 +1,21 @@
+package org.jenkinsci.plugins.workflow.libs;
+
+import hudson.ExtensionList;
+import hudson.ExtensionPoint;
+import hudson.model.Run;
+import hudson.model.TaskListener;
+import hudson.scm.SCM;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import java.io.IOException;
+
+@Restricted(NoExternalUse.class)
+public interface SCMSourceRetrieverVerifier extends ExtensionPoint {
+
+    void verify(Run<?, ?> run, TaskListener listener, SCM scm, String name) throws IOException, InterruptedException;
+
+    static ExtensionList<SCMSourceRetrieverVerifier> all() {
+        return ExtensionList.lookup(SCMSourceRetrieverVerifier.class);
+    }
+}

src/test/java/org/jenkinsci/plugins/workflow/libs/SCMRetrieverTest.java

@@ -24,11 +24,18 @@
 
 package org.jenkinsci.plugins.workflow.libs;
 
+import java.io.IOException;
 import java.util.Collections;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.model.Result;
+import hudson.model.TaskListener;
 import jenkins.branch.BranchSource;
 import jenkins.plugins.git.GitSCMSource;
 import jenkins.plugins.git.GitSampleRepoRule;
 import jenkins.plugins.git.traits.BranchDiscoveryTrait;
+import jenkins.scm.api.SCMHead;
+import jenkins.scm.api.SCMRevision;
+import jenkins.scm.api.SCMSource;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
 import org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject;
@@ -38,6 +45,7 @@
 import org.junit.Test;
 import org.junit.Rule;
 import org.jvnet.hudson.test.BuildWatcher;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.Url;
 
@@ -89,4 +97,49 @@ public class SCMRetrieverTest {
         r.assertLogContains("hello to earth", r.waitForCompletion(m1));
     }
 
+    @Issue("SECURITY-1951")
+    @Test public void untrustedUsersCanOverideLibraryWithOtherSource() throws Exception {
+        sampleRepo.init();
+        sampleRepo.write("vars/greet.groovy", "def call(recipient) {echo(/hello to $recipient/)}");
+        sampleRepo.write("src/pkg/Clazz.groovy", "package pkg; class Clazz {static String whereAmI() {'master'}}");
+        sampleRepo.write("Jenkinsfile", "def lib = library identifier: 'stuff@snapshot', retriever: legacySCM(scm); greet(lib.pkg.Clazz.whereAmI())");
+        sampleRepo.git("add", "vars", "src", "Jenkinsfile");
+        sampleRepo.git("commit", "--message=init");
+
+        sampleRepo.git("checkout", "-b", "fork");
+        sampleRepo.write("src/pkg/Clazz.groovy", "package pkg; class Clazz {static String whereAmI() {'fork'}}");
+        sampleRepo.git("commit", "--all", "--message=branching");
+
+        WorkflowMultiBranchProject mp = r.jenkins.createProject(WorkflowMultiBranchProject.class, "mp");
+        String libraryName = "stuff";
+        mp.getProperties().add(new FolderLibraries(Collections.singletonList(new LibraryConfiguration(libraryName, new SCMSourceRetriever(new GitSCMSource(null, sampleRepo.toString(), "", "*", "", true))))));
+
+
+        SCMSource warySource = new WarySource(sampleRepo.toString());
+        mp.getSourcesList().add(new BranchSource(warySource));
+        WorkflowJob job = WorkflowMultiBranchProjectTest.scheduleAndFindBranchProject(mp, "fork");
+        r.waitUntilNoActivity();
+        WorkflowRun run = job.getLastBuild();
+        r.assertBuildStatus(Result.FAILURE, run);
+        r.assertLogContains("Library '" + libraryName + "' has been modified in an untrusted revision", run);
+    }
+
+    public static class WarySource extends GitSCMSource {
+
+        public WarySource(String remote) {
+            super(null, remote, "", "*", "", false);
+        }
+        @Override
+        @NonNull
+        public SCMRevision getTrustedRevision(@NonNull SCMRevision revision, @NonNull TaskListener listener) throws IOException, InterruptedException {
+            String branch = revision.getHead().getName();
+            if (branch.equals("master")) {
+                return revision;
+            } else {
+                listener.getLogger().println("not trusting " + branch);
+                return fetch(new SCMHead("master"), listener);
+            }
+        }
+    }
+
 }